Go Application Analysis

Evaluation: Source code and manifest analysis

The Go coordinate-based matching feature scans and evaluates the Go module dependencies referenced in projects that use dep or Go modules (go mod). Support includes Security, License, and Identity data for Go modules found in public repositories.

Go Modules

Go modules is the dependency management built into Go; it uses a go.mod file to manage the modules in a project. The go.sum file (generated and updated automatically by the Go command-line tool or IDE) can be used for analysis by Lifecycle scanners. However, this is not recommended, as go.sum may include module versions that are not currently used by or included in the application. If the go.sum file is used, we recommend running the go mod tidy command to remove unused dependencies before the analysis.

The preferred option is to generate a go.list file by running the go list command from the project directory with the format template shown below. This file should be the target of the Lifecycle scan.

go list -f '{{define "M"}}{{.Path}} {{.Version}}{{end}}{{with .Module}}{{if not .Main}}{{if .Replace}}{{template "M" .Replace}}{{else}}{{template "M" .}}{{end}}{{end}}{{end}}' -compiled -deps | sort -u > go.list

Alternatively, the simpler form below writes the full module build list (which may include modules that are not compiled into the application):

go list -m all > go.list

Each line of the output consists of two segments: the module path (name) and the version of the dependency being evaluated, for example:

v0.0.3 v0.0.0-20180720115003-f9ffefc3facf
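To make the go.sum caveat above concrete, here is an added Go example (not Sonatype's code; the module paths and hashes are constructed) that parses a go.sum and a go.list file into module coordinates and reports the go.sum entries that the go list output does not contain. Those are the entries a go.sum scan would report even though the build does not compile them in, including entries that carry only a go.mod hash.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.sum (hypothetical module paths, dummy hashes).
// It carries two versions of example.com/lib/foo and a /go.mod-only entry
// for example.com/lib/baz; the go.list below contains neither.
const sampleGoSum = `example.com/lib/foo v1.1.0 h1:constructedhash000000000000000000000000001=
example.com/lib/foo v1.1.0/go.mod h1:constructedhash000000000000000000000000002=
example.com/lib/foo v1.2.0 h1:constructedhash000000000000000000000000003=
example.com/lib/foo v1.2.0/go.mod h1:constructedhash000000000000000000000000004=
example.com/lib/bar v0.3.0 h1:constructedhash000000000000000000000000005=
example.com/lib/bar v0.3.0/go.mod h1:constructedhash000000000000000000000000006=
example.com/lib/baz v2.0.0/go.mod h1:constructedhash000000000000000000000000007=
`

// Constructed go.list output in the shape produced by the template on this
// page: the first two fields of each line are module path and version.
const sampleGoList = `example.com/lib/bar v0.3.0
example.com/lib/foo v1.2.0
`

// ParseGoSum splits a go.sum into coordinates ("path@version") that have a
// module zip hash (built) and coordinates that only have a go.mod hash
// (goModOnly). A go.mod-only entry means the Go tool read that module's
// go.mod during version resolution but never needed its source.
func ParseGoSum(text string) (built, goModOnly map[string]bool) {
	built = map[string]bool{}
	withGoMod := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue // every go.sum line is exactly: path version hash
		}
		if strings.HasSuffix(f[1], "/go.mod") {
			withGoMod[f[0]+"@"+strings.TrimSuffix(f[1], "/go.mod")] = true
		} else {
			built[f[0]+"@"+f[1]] = true
		}
	}
	goModOnly = map[string]bool{}
	for c := range withGoMod {
		if !built[c] {
			goModOnly[c] = true
		}
	}
	return built, goModOnly
}

// ParseGoList returns the coordinates listed in go.list output.
func ParseGoList(text string) map[string]bool {
	set := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		set[f[0]+"@"+f[1]] = true
	}
	return set
}

// NotInBuild returns, sorted, the go.sum coordinates that do not appear in
// go.list: a scan of go.sum would report them although the build does not
// compile them in.
func NotInBuild(goSum, goList map[string]bool) []string {
	var out []string
	for c := range goSum {
		if !goList[c] {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	built, goModOnly := ParseGoSum(sampleGoSum)
	list := ParseGoList(sampleGoList)
	fmt.Println("go.sum coordinates not in the build:", NotInBuild(built, list))
	fmt.Println("go.mod-only coordinates:", NotInBuild(goModOnly, list))
}
```

Running the program against the constructed input reports example.com/lib/foo@v1.1.0 (superseded by v1.2.0 in the build) and the go.mod-only example.com/lib/baz@v2.0.0; both would inflate a go.sum-based scan, which is why the go.list target is preferred.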

Gopkg.lock (dep)

The dep dependency manager generates the Gopkg.lock file. See the dep documentation for details.

Only [[project]] stanzas containing both name and version fields will be evaluated.

  digest = "1:a2682518d905d662d984ef9959984ef87cecb777d379bfa9d9fe40e78069b3e4"
  name = ""
  revision = "44968752391892e1b0d0b821ee79e9a85fa13049"
  version = "v0.0.3"
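As an added illustration (not part of dep or of the Lifecycle scanner; the module names, digests and revisions are constructed), the Go program below reads the project stanzas of a Gopkg.lock with a minimal line-based parser and separates the stanzas that carry both name and version from those the scanner would skip, such as a branch-pinned dependency that has only a revision, or a stanza whose name is empty. dep writes the table header as [[projects]]; the parser also accepts the [[project]] spelling used above.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed Gopkg.lock fragment: one fully versioned project, one
// branch-pinned project (revision but no version), one with an empty name.
const sampleGopkgLock = `[[projects]]
  digest = "1:0000000000000000000000000000000000000000000000000000000000000001"
  name = "example.com/lib/foo"
  packages = ["."]
  pruneopts = "UT"
  revision = "0000000000000000000000000000000000000001"
  version = "v1.2.0"

[[projects]]
  branch = "master"
  digest = "1:0000000000000000000000000000000000000000000000000000000000000002"
  name = "example.com/lib/bar"
  packages = ["."]
  pruneopts = "UT"
  revision = "0000000000000000000000000000000000000002"

[[projects]]
  digest = "1:0000000000000000000000000000000000000000000000000000000000000003"
  name = ""
  revision = "0000000000000000000000000000000000000003"
  version = "v0.0.3"

[solve-meta]
  analyzer-name = "dep"
  analyzer-version = 1
`

// Project holds the fields of one stanza that matter for coordinate matching.
type Project struct {
	Name, Version, Revision string
}

// ParseGopkgLock walks the file line by line: a [[projects]] (or [[project]])
// header opens a new stanza, any other table header closes it, and simple
// key = "value" lines fill in name, version and revision.
func ParseGopkgLock(text string) []Project {
	var all []Project
	var cur *Project
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "[[projects]]" || line == "[[project]]":
			all = append(all, Project{})
			cur = &all[len(all)-1]
		case strings.HasPrefix(line, "["):
			cur = nil // another table such as [solve-meta]
		case cur != nil && strings.Contains(line, "="):
			k, v, _ := strings.Cut(line, "=")
			v = strings.Trim(strings.TrimSpace(v), `"`)
			switch strings.TrimSpace(k) {
			case "name":
				cur.Name = v
			case "version":
				cur.Version = v
			case "revision":
				cur.Revision = v
			}
		}
	}
	return all
}

// Split separates stanzas that have both name and version (evaluated by the
// scanner) from those that lack one of them (skipped).
func Split(projects []Project) (evaluated, skipped []Project) {
	for _, p := range projects {
		if p.Name != "" && p.Version != "" {
			evaluated = append(evaluated, p)
		} else {
			skipped = append(skipped, p)
		}
	}
	return evaluated, skipped
}

func main() {
	evaluated, skipped := Split(ParseGopkgLock(sampleGopkgLock))
	fmt.Println("evaluated:", evaluated)
	fmt.Println("skipped (no version or no name):", skipped)
}
```

The skipped list is the one to review before trusting a Gopkg.lock scan: a dependency pinned to a branch has no version field, so it produces no coordinate and receives no Security or License data.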

Steps to analyze using the Sonatype Lifecycle CLI

Run a scan

Invoke a CLI scan of a directory (or its subdirectories) containing go.sum or go.list files. Instructions on how to do this can be found here: Sonatype CLI

Example go.sum File

v0.0.3 h1:xyM0XyhRQUsf2Y0lEABbOHvLDVjiRkjTxi+dza87M80=
v0.0.3/go.mod h1:Yb3eAs+8j4rYcnthK6iK9e/3HDZJ5C2PsYaugkeQR2I=
v1.0.5 h1:Iescp+mt88bkIXqmTF2ixM4nlLjo6D9CXX6hRWCz2lc=
v1.0.5/go.mod h1:eGB2F605oLiIpo14y0o1EvBWXQ6h0hgW3OMhGJtwk8Y=
v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
v1.4.0 h1:98SZukVonBOdXatRLa6GSAtp+IeOjY+nmdEZAxImXXc=
v1.4.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin does not evaluate Gopkg.lock, go.sum, or go.list files; a custom Scan Target is needed.

Example Pipeline Script with Scan Patterns

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/Gopkg.lock'], [scanPattern: '**/go.sum'], [scanPattern: '**/go.list']], iqStage: 'build'

To find more information on configuring Jenkins, please see the Lifecycle Jenkins plugin documentation.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control which files are examined. To evaluate Go, add Gopkg.lock, go.sum, and go.list to the scan targets as a comma-separated list, for example:

Example Bamboo Scan Patterns


To find more information on configuring Bamboo, please go to Lifecycle for Bamboo